Threat Trend Report on Deep Web & Dark Web – Ransomware Groups & Cybercrime Forums and Markets of January 2024
Note
This trend report on the deep web and dark web for January 2024 is divided into three sections: Ransomware, Forums & Black Markets, and Threat Actors. We would like to state beforehand that some of the content has yet to be confirmed as true.

Major Issues

1) Ransomware

(1) Black Basta

The Black Basta ransomware gang was first identified in April 2022, and throughout 2023, it consistently ranked among the most active ransomware gangs by frequently posting victims on their dedicated leak site (DLS). However, on January 3, 2024, their DLS ceased to operate for unknown reasons.
Figure 1. Screen displayed in the Tor browser when an onion site cannot be accessed

This situation lasted for about 10 days, after which the site returned to normal. Some security researchers suggested that the outage was not the result of a take-down by law enforcement, arguing that this could not have been the case because the chat and payment sites used for negotiations remained operational. Even now, the exact reason why the DLS went offline has not been ascertained.

According to Malwarebytes, researchers at SRLabs developed a decryption tool exploiting a flaw in the encryption algorithm of the Black Basta ransomware [1]. This tool is said to decrypt files that were encrypted between November 2022 and December 2023 [2]. The bug was reportedly fixed by the gang in mid-December, rendering decryption impossible for the most recently encrypted files.

In January 2024, the Black Basta ransomware gang listed a global glass manufacturing company in Japan as a victim, leaking approximately 1.5 TB of data, including personal user folders, technology, personnel, and financial information [3]. AGC Inc. (formerly Asahi Glass Co., Ltd.) is a global glass manufacturing company headquartered in Tokyo, Japan, and is one of the core companies of the Mitsubishi Group; it is the world's largest glass company.

Figure 2. AGC posted on the Black Basta ransomware gang's DLS

As evidence of the data leakage, the ransomware gang publicly disclosed a list of personal user folders as well as several passport and visa photos of individuals assumed to be employees.
Figure 3. Materials presented as evidence of the data leakage

There are several main reasons why ransomware gangs would expose sensitive information such as passport photos of employees.

Reason                   | Details
Method of threat         | Ransomware gangs use the exposure of personal information as a means of pressuring victimized companies. These actions are aimed at forcing the affected companies to pay the ransom.
Presentation of evidence | Threat actors release this information to prove that they have infiltrated the systems of affected companies and exfiltrated data. This makes it impossible for the affected companies to deny that the attack took place.
Ripple effect            | The exposure of personal information affects not only the victimized company but also its customers, employees, partners, etc. This can potentially deal a severe blow to the affected company's business operations.

Most cybercriminals, including Black Basta, primarily pursue economic gain, and as in many ransomware attacks, they often demand ransoms reaching into the millions of dollars. However, the targets of this gang's attacks are typically in English-speaking countries (FVEY, Five Eyes: US, UK, Canada, Australia, New Zealand), which suggests a political motive behind their actions, unlike other ransomware gangs.

(2) LockBit
In January 2024, LockBit was again identified as the most aggressive ransomware gang. This month, the gang posted about 62 victims on their DLS, with education, healthcare, and manufacturing being their primary targets.
The gang has an internal rule not to attack non-profit organizations and hospitals. However, this month, they attacked capitalhealth.org, a medical center in New Jersey, US. To avoid disrupting patient care, they did not encrypt files but instead leaked data, threatening to expose sensitive medical data if the ransom demands were not met [4]. The hospital reportedly experienced IT outages for about a week as a result of this attack.

[1] https://www.malwarebytes.com/blog/news/2024/01/oops-black-basta-ransomware-flubs-encryption
[2] https://github.com/srlabs/black-basta-buster
[3] https://atip.ahnlab.com/intelligence/view?id=b41a0155-dce0-410d-bc15-fd00acacb78f